Memorandum of Understanding between the Information 
Commissioner and the Investigatory Powers Commissioner 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a framework 
for cooperation and information sharing between the Information 
Commissioner (“the IC”) and the Investigatory Powers 
Commissioner (“the IPC”), collectively referred to as “the Parties” 
throughout this document. In particular, it sets out the broad 
principles of collaboration and the legal framework governing the 
sharing of relevant information between the parties. The shared 
aims of this MoU are to enable closer working between the Parties, 
including the exchange of appropriate information, so as to assist 
them in discharging their regulatory functions. 


2. This MoU is a statement of intent that does not give rise to legally 
binding obligations on the part of either the IC or the IPC. The 
parties have determined that they do not exchange sufficient 
quantities of personal data to warrant entering into a separate data 
sharing agreement, but this will be kept under review. 


The role and function of the Information Commissioner 


3. The IC is a corporation sole appointed by Her Majesty the Queen 
under the Data Protection Act 2018 to act as the UK’s independent 
regulator to uphold information rights in the public interest, 
promote openness by public bodies and data privacy for individuals. 


4. The IC is empowered to take a range of regulatory action for 
breaches of a number of pieces of legislation and regulations. 
Further information on the IC’s statutory responsibilities can be 
found on her website at: 


https://ico.org.uk/about-the-ico/what-we-do/ 


Functions and powers of the Investigatory Powers Commissioner 


5. The IPC is an independent statutory office holder established by the 
Investigatory Powers Act 2016 to provide oversight and 
authorisation of the use of investigatory powers by the intelligence 
agencies, police forces and other public authorities. The IPC is 
supported by the Investigatory Powers Commissioner's Office 
(‘IPCO’ - an arm’s length body) consisting of a team of Judicial 
Commissioners, inspectors and other staff. The IPC may delegate 
his functions to the Judicial Commissioner and his staff. The IPC is 
further supported by the Office for Communications Data 
Authorisations and Technology Advisory Panel, whose activities fall 
outside the scope of this MoU. 


6. Further information about the IPC’s responsibilities can be found on 
IPCO’s website at: 


https://www.ipco.org.uk/ 


Purpose of information sharing 


7. The purpose of the MoU is to enable the parties to share relevant 
information and experience which enhances their ability to exercise 
their respective functions. 


8. This MoU should not be interpreted as imposing any requirement on 
either party to disclose information. In particular, each party must 
ensure that any disclosure of personal data pursuant to these 
arrangements fully complies with both the GDPR and the DPA 2018. 
The MoU sets out the potential legal framework for information 
sharing, but it is for each party to determine for themselves that 
any proposed disclosure is compliant with the law. 


Principles of cooperation and sharing 


9. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
each Party will alert the other to any potential breaches of the 
legislation regulated by the respective organisation which is 
discovered whilst undertaking regulatory duties, and provide 
relevant and necessary supporting information. 


10. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
the Parties will: 


• maintain a working liaison through a nominated point of 
contact to regularly discuss matters of mutual interest (this 
may involve participating in multi-agency groups to address 
common issues and threats) - see Annex A for points of 
contact; 


• Consult one another on any issues which might have 
significant implications for the other organisation, including 
sharing draft policy positions where appropriate; and 


• Conduct joint audits where appropriate, providing expertise in 
relation to relevant areas of responsibility. 


11. The Parties will comply with Government security requirements 
relating to the processing of data unless this is incompatible with 
the discharge of their statutory functions. 


Lawful basis for sharing information 


Information shared by the IPC with the IC 


12. The IC's statutory functions relate to the matters referred to at 
paragraph 4, and this MoU governs information shared by the IPC 
to assist the IC to meet those responsibilities. To the extent that 
information which the IPC proposes to share comprises personal 
data (as defined under the GDPR and DPA 2018), the IPC is a Data 
Controller and so must ensure that it has a lawful basis to share it 
and that doing so would otherwise be compliant with the data 
protection principles. 


13. Section 232(2) of the Investigatory Powers Act 2016 provides that 
the IPC or a Judicial Commissioner (JC) may provide advice or 
information to a public authority in relation to matters for which the 
IPC/JC are responsible. Additionally, the IC’s information gateway in 
section 131 of the Data Protection Act 2018 means that the IPC is able 
(but not required) to share information with the IC which is 
necessary for the IC to discharge her functions, without breaching 
any enactment or rule of law which would otherwise prohibit or 
restrict that disclosure. 


Information shared by the IC with the IPC 


14. The IC, during the course of her activities, will receive information 
from a range of sources, including personal data. She will process 
all personal data in accordance with the principles of the GDPR, the 
DPA 2018 and all other applicable legislation. The IC may identify 
that information she holds, which may include personal data, ought 
to be shared with the IPC as it would assist them in performing their 
functions and responsibilities. 


15. Section 132(1) of the DPA 2018 states that the IC can only share 
confidential information with others if there is lawful authority to do 
so. In this context, the information will be considered confidential if 
it has been obtained, or provided to, the IC in the course of, or the 
purposes of, discharging her functions, relates to an identifiable 
individual or business, and is not otherwise available to the public 
from other sources. This therefore includes, but is not limited to, 
personal data. Section 132(2) of the DPA 2018 sets out the 
circumstances in which the IC will have the lawful authority to share 
that information with the IPC. In particular, it will be lawful in 
circumstances where: 


• The sharing was necessary for the purpose of the IC 
discharging her functions (section 132(2)(c)); 


• The sharing was made for the purposes of criminal or civil 
proceedings, however arising (section 132(2)(e)); or 


• The sharing was necessary in the public interest, taking into 
account the rights, freedoms and legitimate interests of any 
person (section 132(2)(f)). 


16. The IC will therefore be permitted to share information with the IPC 
in circumstances where it has determined that it is reasonably 
necessary to do so in furtherance of one of those grounds outlined 
at paragraph 15. In doing so, the IC will identify the function of the 
IPC with which that information may assist, and assess whether 
that function could reasonably be achieved without access to the 
particular information in question. In particular, where the 
information proposed for sharing with the IPC amounts to personal 
data the IC will consider whether it is necessary to provide it in an 
identifiable form in order for the IPC to perform its functions, or 
whether disclosing it in an anonymised form would suffice. 


17. If information to be disclosed by the IC was received by her in the 
course of discharging her functions as a designated enforcer under 
the Enterprise Act 2002, any disclosure shall be made in accordance 
with the restrictions set out in Part 9 of that Act. 


18. Where information is to be disclosed by either party for law 
enforcement purposes under section 35(4) or (5) of the DPA 2018 
then they will only do so in accordance with an appropriate policy 
document as outlined by section 42 of the DPA 2018. 


19. The IPC is not subject to the Freedom of Information Act (FOIA) 
2000. Where a request for the disclosure of information is received 
by either Party under data protection laws or FOIA, the recipient of 
the request will seek the views of the other Party, where the 
information being sought under the request includes information 
obtained from, or shared by, the other Party notwithstanding that 
the IPC is not subject to FOIA. However, the decision to disclose or 
withhold the information (and therefore any liability arising out of 
that decision) remains with the party in receipt of the request as 
Data Controller in respect of that data. 


Method of exchange 


20. Appropriate security measures shall be agreed to protect 
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 


Confidentiality and data breach reporting 


21. Where confidential material is shared between the Parties it will be 
marked with the appropriate security classification and, where 
appropriate, handling conditions. 


22. Unless it would be inconsistent with its legal obligations, where one 
Party has received information from the other, it will use its best 
endeavours to consult with the other Party before passing the 
information to a third party or using the information in an 
enforcement proceeding or court case. 


23. Where confidential material obtained from, or shared by, the 
originating Party is wrongfully disclosed by the receiving Party, this 
Party will bring this to the attention of the originating Party without 
delay. This is in addition to obligations to report a personal data 
breach under the GDPR and/or DPA 2018 where personal data is 
contained in the information disclosed. 


Duration and review of the MoU 


24. The Parties will monitor the operation of this MoU and will review it 
biennially. 


25. Any minor changes to this memorandum identified between reviews 
may be agreed in writing between the Parties. 


26. Any issues arising in relation to this memorandum will be notified to 
the point of contact for each Party. 


Annex A 


Key contacts 


1. The parties have both identified a single point of contact for this 
MoU: 


Information Commissioner's Office 
Investigatory Powers Commissioner's Office 


2. The nominated points of contact for each party will maintain an 
open dialogue between each other in order to ensure that the MoU 
remains effective and fit for purpose. They will also seek to identify 
ways to continuously strengthen the Parties’ working relationship. 


Signatories 


Director/Executive Director/Commissioner 

Chief Executive/Investigatory Powers Commissioner 
Investigatory Powers Commissioner's Office 


Date: 22 December 2020 


Date: 14 December 2020 


